VulnerableCode Vulnerability Details - VCID-t9gu-2vs3-g7cu

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-t9gu-2vs3-g7cu

Essentials
Severities (9)
References (11)
Severity details (8)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-t9gu-2vs3-g7cu
Aliases	CVE-2013-2506 GHSA-jp57-9j37-5476 OSV-90865
Summary	Permissions, Privileges, and Access Controls app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00171	https://api.first.org/data/v1/epss?cve=CVE-2013-2506
generic_textual	MODERATE	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
generic_textual	MODERATE	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
generic_textual	MODERATE	https://github.com/spree/spree_auth_devise
generic_textual	MODERATE	https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
generic_textual	MODERATE	https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2013-2506
generic_textual	MODERATE	https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
generic_textual	MODERATE	https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2013-2506
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml
		https://github.com/spree/spree_auth_devise
		https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
		https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d
		http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
		https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
		https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions
		https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
CVE-2013-2506		https://nvd.nist.gov/vuln/detail/CVE-2013-2506

No exploits are available.

Exploit Prediction Scoring System (EPSS)

Percentile	0.38055
EPSS Score	0.00171
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:36:08.047073+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/spree_auth/CVE-2013-2506.yml	38.6.0